New OpenSSL Bug Exposed

On the 10th of July a new bug was announced in the OpenSSL library. This is the library used by many websites and tools to manage TLS/SSL.

How does it Affect My1Login?

Before we go onto discuss the bug, how it works and what it does, it's important to say that it does not affect My1Login services or our customers.

What is it?

Unlike Heartbleed, which affected servers, this new bug mainly affects end-user products (such as web-browsers, VPN tools, etc.). It's potentially very serious in that it allows a website to present an invalid SSL certificate, but to have the end-user application treat it as though it were valid - so an SSL website can be easily impersonated. 

 Credit: GitHub

What do I need to do?

With regards to your My1Login account, nothing. It is not affected. With regards to general web usage, the actual reach of the new bug is limited as most of the major browsers do not use OpenSSL and are therefore not affected. Additionally, the bug has been caught quickly by OpenSSL. While it was present in pre-release code since January, the affected code has only been officially released by OpenSSL for the past month. Therefore very few applications are likely to have been released that contain it.

Google Chrome, Mozilla Firefox, IE and iOS all use Boring SSL and not OpenSSL. As a result if you use these browsers you are unnafected. Android uses both Boring SSL and OpenSSL, depending on the operating system version. However, individual apps on mobile devices typically use their own code for verifying certificates. This means any individual app could potentially be vulnerable. To mitigate this risk, as it may take several weeks for the fixes to be rolled out by all vendors, our advice is to rely on browsers that are not vulnerable to the bug over individual apps.

Further information can be obtained from OpenSSL themselves here.